We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 4626 - a null-pointer-dereference in function stdio_read
Summary: a null-pointer-dereference in function stdio_read
Status: RESOLVED FIXED
Alias: None
Product: SDL_image
Classification: Unclassified
Component: misc (show other bugs)
Version: 2.0.4
Hardware: x86_64 Linux
: P2 normal
Assignee: Sam Lantinga
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-09 06:44 UTC by pwd
Modified: 2019-07-31 02:04 UTC (History)
3 users (show)

See Also:

Attachments
poc (257 bytes, application/gzip)
2019-05-09 06:44 UTC, pwd 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description pwd 2019-05-09 06:44:04 UTC 
Created attachment 3778 [details]
poc

# libsdl2

## version

    libsdl2 2.0.9

## others

    please send email to  teamseri0us360@gmail.com if you have any questions.

---------------------

## libc.so.60x94480@___SEGV_UNKNOW

### description

    An issue was discovered in libsdl2 2.0.9 with SDL2_image-2.0.4, There is a null-pointer-dereference in function libc.so.60x94480 at 

### commandline

    loadjpg  @@ 

### source

```c
// Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x7fffffffe460, size=2, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385
// 385         nread = fread(ptr, size, maxnum, context->hidden.stdio.fp);
// (gdb) c 11
// Will ignore next 10 crossings of breakpoint 1.  Continuing.

// Breakpoint 1, stdio_read (context=0x60700000dfb0, ptr=0x0, size=1, maxnum=1) at /src/libsdl2/src/file/SDL_rwops.c:385
// 385         nread = fread(ptr, size, maxnum, context->hidden.stdio.fp);
// (gdb) p ptr
// $2 = (void *) 0x0
// (gdb)
```

### bug report

```txt
ASAN:DEADLYSIGNAL
=================================================================
==4334==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f43724b0481 bp 0x000000000010 sp 0x7ffefadce5d8 T0)
    #0 0x7f43724b0480  (/lib/x86_64-linux-gnu/libc.so.6+0x94480)
    #1 0x7f4372494fd2  (/lib/x86_64-linux-gnu/libc.so.6+0x78fd2)
    #2 0x7f437248a235 in fread (/lib/x86_64-linux-gnu/libc.so.6+0x6e235)
    #3 0x7f43733e304d in stdio_read /src/libsdl2/src/file/SDL_rwops.c:385:13
    #4 0x7f4373947b6a in IMG_LoadPCX_RW /src/SDL2_image-2.0.4/IMG_pcx.c:158:17
    #5 0x7f43739369bd in IMG_LoadTyped_RW /src/SDL2_image-2.0.4/IMG.c:195:17
    #6 0x7f4373935f41 in IMG_Load /src/SDL2_image-2.0.4/IMG.c:136:12
    #7 0x4ea140 in main /src/loadjpg.c:8:37
    #8 0x7f437243c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x418a38 in _start (/src/aflbuild/installed/bin/loadjpg+0x418a38)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x94480) 
==4334==ABORTING

```

### others

    from fuzz project pwd-libsdl2-loadjpg-00
    crash name pwd-libsdl2-loadjpg-00-00000008-20190418.jpg
    Auto-generated by pyspider at 2019-04-18 07:02:09
Comment 1 Hugo Lefeuvre 2019-05-29 13:30:03 UTC 
This was assigned CVE-2019-12217.

I can confirm that this is an issue in SDL_image.

The underlying bug is the same as #4628 (CVE-2019-12221). It is also fixed by the same patch ([PATCH] pcx: do not write directly to row buffer).

Please see https://bugzilla.libsdl.org/show_bug.cgi?id=4628
Comment 2 Sam Lantinga 2019-06-10 23:22:04 UTC 
This is fixed, thanks!
Comment 3 Castro B 2019-06-19 10:52:26 UTC 
Thank you! Fix

Castro B,
http://sitederencontrebelge.be